sigma-rules

Author	SHA1	Message	Date
Austin Songer	d7eab5bbf3	[New Rule] AWS STS AssumeRole Usage (#1214 ) * Update impact_iam_deactivate_mfa_device.toml https://github.com/elastic/detection-rules/issues/1111 * Update impact_iam_deactivate_mfa_device.toml * Update discovery_post_exploitation_external_ip_lookup.toml "ipapi.co", "ip-lookup.net", "ipstack.com" Update rules/aws/impact_iam_deactivate_mfa_device.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Revert "Update discovery_post_exploitation_external_ip_lookup.toml" This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e. * Update * New Rule: Okta User Attempted Unauthorized Access * Update privilege_escalation_okta_user_attempted_unauthorized_access.toml * Update privilege_escalation_okta_user_attempted_unauthorized_access.toml * Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml * Create persistence_new-or-modified-federation-domain.toml * Delete persistence_new-or-modified-federation-domain.toml * Create lateral_movement_sts_assumerole_abuse.toml * Rename lateral_movement_sts_assumerole_abuse.toml to privilege_escalation_sts_assumerole_abuse.toml * Update privilege_escalation_sts_assumerole_abuse.toml * Update privilege_escalation_sts_assumerole_abuse.toml * Update privilege_escalation_sts_assumerole_abuse.toml * Update * Update .gitignore Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update privilege_escalation_sts_assumerole_abuse.toml * Update privilege_escalation_sts_assumerole_abuse.toml * Update privilege_escalation_sts_assumerole_abuse.toml * Update and rename privilege_escalation_sts_assumerole_abuse.toml to privilege_escalation_sts_assumerole_usage.toml * Update rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Add note field * Update privilege_escalation_sts_assumerole_usage.toml * Update rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Adding Reference * Expand STS Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2021-10-15 15:56:10 -03:00
Austin Songer	27ba204f1c	[New Rule] GCP Kubernetes Rolebindings Created or Patched (#1267 ) * Update impact_iam_deactivate_mfa_device.toml https://github.com/elastic/detection-rules/issues/1111 * Update impact_iam_deactivate_mfa_device.toml * Update discovery_post_exploitation_external_ip_lookup.toml "ipapi.co", "ip-lookup.net", "ipstack.com" Update rules/aws/impact_iam_deactivate_mfa_device.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Revert "Update discovery_post_exploitation_external_ip_lookup.toml" This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e. * Update * New Rule: Okta User Attempted Unauthorized Access * Update privilege_escalation_okta_user_attempted_unauthorized_access.toml * Update privilege_escalation_okta_user_attempted_unauthorized_access.toml * Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml * Create persistence_new-or-modified-federation-domain.toml * Delete persistence_new-or-modified-federation-domain.toml * Create credential_access_gcp_kubernetes_rolebindings_creation.toml * Update credential_access_gcp_kubernetes_rolebindings_creation.toml * Update credential_access_gcp_kubernetes_rolebindings_creation.toml * Update credential_access_gcp_kubernetes_rolebindings_creation.toml * Update credential_access_gcp_kubernetes_rolebindings_creation.toml * Update credential_access_gcp_kubernetes_rolebindings_creation.toml * Update credential_access_gcp_kubernetes_rolebindings_creation.toml * Update * Update .gitignore Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update rules/integrations/gcp/credential_access_gcp_kubernetes_rolebindings_creation.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update credential_access_gcp_kubernetes_rolebindings_creation.toml * Update credential_access_gcp_kubernetes_rolebindings_creation.toml * Update and rename credential_access_gcp_kubernetes_rolebindings_creation.toml to credential_access_gcp_kubernetes_rolebindings_created_or_patched.toml * Update credential_access_gcp_kubernetes_rolebindings_created_or_patched.toml * Update credential_access_gcp_kubernetes_rolebindings_created_or_patched.toml * Rename credential_access_gcp_kubernetes_rolebindings_created_or_patched.toml to privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml * remove space from query Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-10-15 15:42:25 -03:00
Austin Songer	7123d46623	[New Rule] Azure Blob Permissions Modification (#1499 ) * Create defense_evasion_azure_blob_permissions_modified.toml * Update defense_evasion_azure_blob_permissions_modified.toml * Update defense_evasion_azure_blob_permissions_modified.toml * Update description and query (spacing) Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2021-10-14 06:59:24 -03:00
Austin Songer	3d15c2072d	[New Rule] Azure Kubernetes Events Deleted (#1307 ) * Create defense_evasion_kubernetes_events_deleted.toml * Update defense_evasion_kubernetes_events_deleted.toml * Update defense_evasion_kubernetes_events_deleted.toml * Update * Update defense_evasion_kubernetes_events_deleted.toml * Update defense_evasion_kubernetes_events_deleted.toml * Update defense_evasion_kubernetes_events_deleted.toml * Update rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Add quotes to azure query field Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-10-14 06:57:33 -03:00
Austin Songer	11fa592c6f	[New Rule] Microsoft 365 - Impossible travel activity (#1344 ) * Create initial_access_microsoft_365_impossible_travel_activity.toml * Update initial_access_microsoft_365_impossible_travel_activity.toml * Update initial_access_microsoft_365_impossible_travel_activity.toml * Update initial_access_microsoft_365_impossible_travel_activity.toml * Update initial_access_microsoft_365_impossible_travel_activity.toml * Update initial_access_microsoft_365_impossible_travel_activity.toml * Update initial_access_microsoft_365_impossible_travel_activity.toml * Updated Directory * Update initial_access_microsoft_365_impossible_travel_activity.toml * Update rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update initial_access_microsoft_365_impossible_travel_activity.toml * Update initial_access_microsoft_365_impossible_travel_activity.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2021-10-12 19:11:32 -03:00
Austin Songer	c8ac37957d	[New Rule] Microsoft 365 - User Restricted from Sending Email (#1345 ) * Create initial_access_microsoft_365_user_restricted_from_sending_email.toml * Update initial_access_microsoft_365_user_restricted_from_sending_email.toml * Update * Update initial_access_microsoft_365_user_restricted_from_sending_email.toml * Update rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update initial_access_microsoft_365_user_restricted_from_sending_email.toml * Update initial_access_microsoft_365_user_restricted_from_sending_email.toml * Update initial_access_microsoft_365_user_restricted_from_sending_email.toml * Fix technique * update description and FP Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-10-12 18:32:54 -03:00
Austin Songer	98c217ece9	[New Rule] Microsoft 365 - Potential ransomware activity (#1346 ) * Create impact_microsoft_365_potential_ransomware_activity.toml * Update impact_microsoft_365_potential_ransomware_activity.toml * Update impact_microsoft_365_potential_ransomware_activity.toml * Update * Update impact_microsoft_365_potential_ransomware_activity.toml * Update rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update impact_microsoft_365_potential_ransomware_activity.toml * Update impact_microsoft_365_potential_ransomware_activity.toml * bump to prod Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-10-12 18:26:17 -03:00
Austin Songer	82e72a956b	[New Rule] AWS Route Table Modified or Deleted (#1258 ) * Update impact_iam_deactivate_mfa_device.toml https://github.com/elastic/detection-rules/issues/1111 * Update impact_iam_deactivate_mfa_device.toml * Update discovery_post_exploitation_external_ip_lookup.toml "ipapi.co", "ip-lookup.net", "ipstack.com" Update rules/aws/impact_iam_deactivate_mfa_device.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Revert "Update discovery_post_exploitation_external_ip_lookup.toml" This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e. * Update * New Rule: Okta User Attempted Unauthorized Access * Update privilege_escalation_okta_user_attempted_unauthorized_access.toml * Update privilege_escalation_okta_user_attempted_unauthorized_access.toml * Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml * Create persistence_new-or-modified-federation-domain.toml * Delete persistence_new-or-modified-federation-domain.toml * Create persistence_route_table_modified_or_deleted.toml * Update persistence_route_table_modified_or_deleted.toml * Update persistence_route_table_modified_or_deleted.toml * Update * Update .gitignore Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update persistence_route_table_modified_or_deleted.toml * Update persistence_route_table_modified_or_deleted.toml * Update persistence_route_table_modified_or_deleted.toml * remove space from query Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-10-12 15:16:48 -03:00
Austin Songer	9508002bb3	[New Rule] AWS ElastiCache Security Group Created (#1363 ) * Create persistence_elasticache_security_group_creation.toml * Update * Update rules/integrations/aws/persistence_elasticache_security_group_creation.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Rename persistence_elasticache_security_group_creation.toml to defense_evasion_elasticache_security_group_creation.toml * Update defense_evasion_elasticache_security_group_creation.toml * Update defense_evasion_elasticache_security_group_creation.toml * Re-add rule.threat * Update rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * remove extra space from query Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-10-05 14:00:29 -03:00
Austin Songer	3b0d2006b7	Made these pull requests before the directory restructure. (#1517 ) Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-10-05 09:29:40 -03:00
Austin Songer	0a3c44e8db	[Rule Tuning] AWS RDS Snapshot Export and AWS RDS Instance Created (#1514 )	2021-10-04 13:31:31 -08:00
Austin Songer	f41714642c	[New Rule] AWS ElastiCache Security Group Modified or Deleted (#1364 ) * Create impact_aws_elasticache_security_group_modified_or_deleted.toml * Rename impact_aws_elasticache_security_group_modified_or_deleted.toml to impact_elasticache_security_group_modified_or_deleted.toml * Update impact_elasticache_security_group_modified_or_deleted.toml * Update * Update rules/integrations/aws/impact_elasticache_security_group_modified_or_deleted.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update impact_elasticache_security_group_modified_or_deleted.toml * Update impact_elasticache_security_group_modified_or_deleted.toml * Rename impact_elasticache_security_group_modified_or_deleted.toml to defense_evasion_elasticache_security_group_modified_or_deleted.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-10-04 15:38:37 -03:00
Jonhnathan	ba9c01be50	Rename new_or_modified_federation_domain.toml to correspond with tactic (#1511 )	2021-09-30 13:08:35 -08:00
Jonhnathan	5e4a7e67df	[Rule Tuning] Small update on rule descriptions (#1508 )	2021-09-30 12:54:15 -08:00
Austin Songer	d28c48f20f	[New Rule] Azure Frontdoor Web Application Firewall (WAF) Policy Deleted (#1393 )	2021-09-29 09:08:09 -08:00
Austin Songer	a51ed86851	[New Rule] New or Modified Federation Domain (#1212 ) * Update impact_iam_deactivate_mfa_device.toml https://github.com/elastic/detection-rules/issues/1111 * Update impact_iam_deactivate_mfa_device.toml * Update discovery_post_exploitation_external_ip_lookup.toml "ipapi.co", "ip-lookup.net", "ipstack.com" Update rules/aws/impact_iam_deactivate_mfa_device.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Revert "Update discovery_post_exploitation_external_ip_lookup.toml" This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e. * Update * New Rule: Okta User Attempted Unauthorized Access * Update privilege_escalation_okta_user_attempted_unauthorized_access.toml * Update privilege_escalation_okta_user_attempted_unauthorized_access.toml * Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml * Create persistence_new-or-modified-federation-domain.toml * Delete persistence_new-or-modified-federation-domain.toml * Create persistence_new-or-modified-federation-domain.toml * Rename persistence_new-or-modified-federation-domain.toml to persistence_new_or_modified_federation_domain.toml * Update persistence_new_or_modified_federation_domain.toml * Update .gitignore Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/microsoft-365/persistence_new_or_modified_federation_domain.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/microsoft-365/persistence_new_or_modified_federation_domain.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update persistence_new_or_modified_federation_domain.toml * Update persistence_new_or_modified_federation_domain.toml * Update persistence_new_or_modified_federation_domain.toml * Update * Update persistence_new_or_modified_federation_domain.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-09-29 09:16:17 -03:00
Austin Songer	93b8038d7d	[New Rule] AWS STS GetSessionToken Abuse (#1213 ) * Update impact_iam_deactivate_mfa_device.toml https://github.com/elastic/detection-rules/issues/1111 * Update impact_iam_deactivate_mfa_device.toml * Update discovery_post_exploitation_external_ip_lookup.toml "ipapi.co", "ip-lookup.net", "ipstack.com" Update rules/aws/impact_iam_deactivate_mfa_device.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Revert "Update discovery_post_exploitation_external_ip_lookup.toml" This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e. * Update * New Rule: Okta User Attempted Unauthorized Access * Update privilege_escalation_okta_user_attempted_unauthorized_access.toml * Update privilege_escalation_okta_user_attempted_unauthorized_access.toml * Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml * Create persistence_new-or-modified-federation-domain.toml * Delete persistence_new-or-modified-federation-domain.toml * Create lateral_movement_sts_getsessiontoken_abuse.toml * Rename lateral_movement_sts_getsessiontoken_abuse.toml to privilege_escalation_sts_getsessiontoken_abuse.toml * Update privilege_escalation_sts_getsessiontoken_abuse.toml * Update rules/aws/privilege_escalation_sts_getsessiontoken_abuse.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update .gitignore Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update privilege_escalation_sts_getsessiontoken_abuse.toml * Update privilege_escalation_sts_getsessiontoken_abuse.toml * Update * Update rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2021-09-22 16:28:02 -03:00
Justin Ibarra	8e3b1d28c4	[Rule Tuning] Fix typos in rule metadata (#1494 ) Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2021-09-21 16:31:00 -03:00
dstepanic17	9ff3873ee7	[rule-tuning] Adding more context with triage/investigation (#1481 ) * [rule-tuning] Adding more context with triage/investigation * Adding mimikatz rule * Fixed updated date on mimikatz rule * Adding Defender update * Adding scheduled task * Adding AdFind * Adding rare process * Adding cloudtrail country * Adding cloudtrail spike * Adding threat intel * Fixed minor spelling/syntax * Fixed minor spelling/syntax p2 * Update rules/cross-platform/threat_intel_module_match.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/integrations/aws/ml_cloudtrail_error_message_spike.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/ml/ml_rare_process_by_host_windows.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/credential_access_mimikatz_powershell_module.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/credential_access_mimikatz_powershell_module.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/discovery_adfind_command_activity.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/discovery_adfind_command_activity.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/discovery_adfind_command_activity.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/discovery_adfind_command_activity.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/discovery_adfind_command_activity.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/discovery_adfind_command_activity.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Removed MITRE link, added Microsoft * Update ml_cloudtrail_error_message_spike.toml * Update ml_cloudtrail_rare_method_by_country.toml * Update ml_rare_process_by_host_windows.toml * Update credential_access_mimikatz_powershell_module.toml * Update defense_evasion_defender_exclusion_via_powershell.toml * Update discovery_adfind_command_activity.toml * Update lateral_movement_dns_server_overflow.toml * Update lateral_movement_scheduled_task_target.toml * Update persistence_evasion_registry_startup_shell_folder_modified.toml * Update defense_evasion_defender_exclusion_via_powershell.toml * Update lateral_movement_scheduled_task_target.toml * Update persistence_evasion_registry_startup_shell_folder_modified.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-09-15 20:07:21 -05:00
Ross Wolf	c9d6527280	Revert #1440 new endpoint promotion rule (#1470 ) * Revert #1440 new endpoint promotion rule * Set the updated_at date	2021-09-03 08:07:20 -06:00
Nic	8b2c8c2e03	[Rule tuning] Azure Active Directory High Risk Sign-in (#1463 ) * Add Aggregated Risk Level * There can be a risk_level_during_signin:low but have a risk_level_aggregated:high which is also just as concerning and must be alerted on. * An example is a password spray attack and have a successful login. Which makes me consider a new rule for interesting risk event types	2021-08-30 14:33:44 -08:00
Ross Wolf	675e870a30	Set min stack to 7.15 for Behavior Protection promotion	2021-08-26 08:53:02 -06:00
Ross Wolf	3b338baab0	[New Rule] Endpoint Security Behavior Protection (#1440 ) * [New Rule] Endpoint Security Behavioral Protection * Update readme and labeler for endpoint integration * Fix new rule to use event.code * Fix old rule to use event.code * Changed from behavioral to behavior * Rename elastic_endpoint_security_behavioral.toml to elastic_endpoint_security_behavior_protection.toml * Back from the future (updated_date) Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>	2021-08-25 09:56:59 -06:00
Austin Songer	3b29498907	[Rule Tuning] AWS Security Group Configuration Change Detection (#1426 ) * move rule "AWS Security Group Configuration Change Detection" to integrations directory and add "aws" integration	2021-08-14 20:34:13 -08:00
Justin Ibarra	f8f643041a	[Rule tuning] Revise rule description and other text (#1398 )	2021-08-03 13:07:47 -08:00
Justin Ibarra	b736d6e748	[Rule Tuning] Rule description tweaks (#1388 )	2021-07-29 10:56:13 -08:00
Ross Wolf	1882f4456c	[Fleet] Track integrations in folder and metadata (#1372 ) * Track integrations in folder and metadata * Remove duplicate entry * Update note and tests	2021-07-21 15:24:56 -06:00

... 8 9 10 11 12

577 Commits